Company Has Taken Systems Offline As A Precaution; Investigation Ongoing
This is a breaking news story. Check back for additional details.
Colonial Pipeline, which oversees more than 5,500 miles of pipeline that supplies fuel throughout the U.S. East Coast, confirmed Saturday that a ransomware attack has disrupted its services and that it has taken some of its IT systems offline as a precaution, according to a statement posted to the company's website.
Colonial provided only scant details of the incident, which was first reported on Friday. In its statement, the company did not indicate what type of ransomware was used during the attack, or if the company had been contacted by a criminal gang. Colonial did note that it continues to investigate the cyber incident along with a third-party security firm, while certain IT systems remain offline.
“We have since determined that this incident involves ransomware. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems,” according to the company’s updated statement. “Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have launched an investigation into the nature and scope of this incident, which is ongoing. We have contacted law enforcement and other federal agencies.”
On Saturday, a company spokeswoman told Information Security Media Group that Colonial had no additional information to share at this point.
That Colonial operates refineries and pipelines that supply fuel and other petroleum products throughout the Eastern and Southern U.S. means the company is considered part of the nation’s critical infrastructure and that officials from the Cybersecurity and Infrastructure Security Agency, along with the FBI, would likely be called in to investigate the attack.
A CISA spokesperson could not be immediately reached for comment on Saturday.
The Washington Post, citing two unnamed U.S. officials, first reported that ransomware was the likely source of the attack. The officials did not indicate what specific ransomware variant or cybercriminal group might have been responsible for the incident.
Former CISA Director Christopher Krebs took to Twitter on Saturday to declare that these types of ransomware attacks have gotten out of control and that more comprehensive approaches are needed. Over the past several months, Krebs has been advocating for more funds for his former agency, as well as for state and local governments, to address incidents involving these types of crypto-locking malware attacks (see: Krebs: States Need a Cyber Funding Boost).
Ransomware shuts down one of the most critical regional pipelines. This has gotten out of control. https://t.co/xvRNQ0GAIO
— Chris Krebs (@C_C_Krebs) May 8, 2021
Chris Pierson, CEO and founder of the security firm BlackCloak, says that following an attack like this, the entire U.S. energy sector, not just Colonial, needs to rethink its approach to cybersecurity.
“This attack, if initial details are accurate, emphasizes that our nation’s energy sector has a long way to go to ensure a higher level of resilience against cyberattacks and disruption which are a part of everyday business life,” Pierson tells ISMG. “Let’s figure out what was missed and get the right information into the hands of those that govern and lead our critical infrastructure so they can build cybersecurity into their enterprise risk governance more effectively.”
In April, the Institute for Security and Technology’s Ransomware Task Force published a framework that included 48 recommendations for government agencies and private firms to adopt to better address ransomware attacks, including more regulations of cryptocurrency markets and better sharing of information (see: Fighting Ransomware: A Call for Cryptocurrency Regulation).
Critical Infrastructure Attacks
Founded in 1962, the Colonial Pipeline is based in Georgia and connects refineries in the Gulf Coast to customers throughout the Southern and Eastern U.S. through a pipeline system of more than 5,500 miles. That pipeline carries gasoline, diesel, jet fuel, home heating oil as well as fuel for the military, according to the company’s website.
Colonial transports about 45% of all the fuel consumed on the East Coast and serves almost 50 million U.S. customers, the company notes.
The attack involving Colonial is the second major incident this year where a critical infrastructure facility has been targeted.
In February, an attacker or attackers targeted the water treatment facility in Oldsmar, Florida. At the time, local officials and law enforcement reported that an unknown person or group gained remote access to a system to increase the amount of lye in the city’s water system, but the attack was immediately thwarted (see: Florida City’s Water Hack: Poor IT Security Laid Bare).
The initial investigation showed that the plant’s employees reportedly used TeamViewer for remote access and that computers at the Florida plant reportedly were network-connected to the supervisory control and data acquisition – aka SCADA – system and were running outdated 32-bit versions of Windows 7 (see: Water Treatment Hack Prompts Warning From CISA).
The breach in Florida, combined with the ongoing investigations into the supply chain attack that targeted SolarWinds in December 2020 and attacks earlier this year involving vulnerable Microsoft Exchange email servers, has prompted calls by lawmakers on both sides of the aisle for additional funding for CISA and more expansive breach notification when these attacks do occur (see: Senators Push for Changes in Wake of SolarWinds Attack).
Pierson says that these types of attacks, whether it’s nation-state groups or criminal gangs wielding ransomware, should prompt private firms and government agencies to rethink their approaches to protecting critical infrastructure.
“Ensuring the protection, resiliency and fast repair of cyber damage is key, and the fact that lower-level malware attacks can be successfully launched against it is problematic,” Pierson says. “It potentially means that operators of these vast systems are not spending on the right types of cybersecurity controls, supporting their cyber teams with the right education, tools, and personnel to do their jobs, and are not reacting to cyber risk in a way that is well-governed from the top down.”
Editor’s Note: This story was updated to include Colonial’s statement that the attack was related to ransomware.